Lecture 3.1: Public Key Cryptography I
CS 436/636/736, Spring 2015
Nitesh Saxena

Today's Informative/Fun Bit: Acoustic Emanations
http://www.google.com/search?source=ig&hl=en&rlz=&q=keyboard+acoustic+emanations&btng=google+search
http://tau.ac.il/~tromer/acoustic/
Course Administration
- HW1 posted, due at 11am on Feb 2 (Mon)
- Any questions?
- Regarding the programming portion of the homework:
  - Submit the whole modified code that you used to measure timings
  - Comment the portions of the code that you modified
  - Include a small readme so we can follow what you did

Outline of Today's Lecture
- Public Key Crypto Overview
- Number Theory
- Modular Arithmetic
Recall: Private Key/Public Key Cryptography
Private Key:
- Sender and receiver share a common (private) key
- Encryption and decryption are both done using that private key
- Also called conventional/shared-key/single-key/symmetric-key cryptography
Public Key:
- Every user has a private key and a public key
- Encryption is done using the public key and decryption using the private key
- Also called two-key/asymmetric-key cryptography

Private key cryptography revisited
- Good: quite efficient (as you'll see from the HW#1 programming exercise on AES)
- Bad: key distribution and management is a serious problem; for N users, O(N^2) keys are needed (one shared key per pair of users)
Public key cryptography model
- Good: the key management problem is potentially simpler
- Bad: much slower than private key crypto (we'll see later!)

Public Key Encryption
- Two keys: a public encryption key e and a private decryption key d
- Encryption is easy when e is known
- Decryption is easy when d is known
- Decryption is hard when d is not known
- We'll study such public key encryption schemes; first we need some number theory.
Public Key Encryption: Security Notions
- Very similar to what we studied for private key encryption
- What's the difference? (Hint: in the public key setting the adversary always holds the encryption key, so it can encrypt any message of its choice by itself.)

Group: Definition
(G, ·), where G is a set and · : G × G → G, is said to be a group if the following properties are satisfied:
1. Closure: for any a, b ∈ G, a·b ∈ G
2. Associativity: for any a, b, c ∈ G, a·(b·c) = (a·b)·c
3. Identity: there is an identity element e such that a·e = e·a = a for any a ∈ G
4. Inverse: for every a ∈ G there exists an element a^{-1} such that a·a^{-1} = a^{-1}·a = e
Abelian Group: a group which also satisfies commutativity, i.e., a·b = b·a
Groups: Examples
- The set of all integers with respect to addition: (Z, +)
- The set of all integers with respect to multiplication, (Z, *), is not a group (e.g., 2 has no inverse in Z)
- The set of all nonzero real numbers with respect to multiplication: (R \ {0}, *). Note that 0 has no multiplicative inverse, so (R, *) itself is not a group.
- The set of all integers modulo m with respect to modular addition: (Z_m, +)

Divisors
- x divides y (written x | y) if the remainder is 0 when y is divided by x
  1 | 8, 2 | 8, 4 | 8, 8 | 8
- The divisors of y are the numbers that divide y
  divisors of 8: {1, 2, 4, 8}
- For every number y: 1 | y and y | y
Prime numbers
- A number is prime if its only divisors are 1 and itself: 2, 3, 5, 7, 11, 13, 17, 19, ...
- Fundamental theorem of arithmetic: for every number x > 1 there is a unique set of primes {p_1, ..., p_n} and a unique set of positive exponents {e_1, ..., e_n} such that
  $x = p_1^{e_1} \cdot \ldots \cdot p_n^{e_n}$

Common divisors
- The common divisors of two numbers x, y are the numbers z such that z | x and z | y
  common divisors of 8 and 12: intersection of {1, 2, 4, 8} and {1, 2, 3, 4, 6, 12} = {1, 2, 4}
- Greatest common divisor: gcd(x, y) is the number z such that
  - z is a common divisor of x and y
  - no common divisor of x and y is larger than z
  gcd(8, 12) = 4
Euclidean Algorithm: gcd(r_0, r_1)
Main idea: if y = ax + b then gcd(x, y) = gcd(x, b)
$$
\begin{aligned}
r_0 &= q_1 r_1 + r_2 \\
r_1 &= q_2 r_2 + r_3 \\
&\;\vdots \\
r_{m-2} &= q_{m-1} r_{m-1} + r_m \\
r_{m-1} &= q_m r_m + 0
\end{aligned}
$$
$\gcd(r_0, r_1) = \gcd(r_1, r_2) = \ldots = \gcd(r_{m-1}, r_m) = r_m$
(Each remainder is strictly smaller than the one before it, so the chain terminates; the last nonzero remainder r_m is the gcd.)

Example: gcd(15, 37)
37 = 2 * 15 + 7
15 = 2 * 7 + 1
7 = 7 * 1 + 0
gcd(15, 37) = 1
Relative primes
- x and y are relatively prime if they have no common divisors other than 1
- Equivalently, x and y are relatively prime if gcd(x, y) = 1
- 9 and 14 are relatively prime
- 9 and 15 are not relatively prime (gcd is 3)

Modular Arithmetic
- Definition: x is congruent to y mod m if m divides (x − y). Equivalently, x and y have the same remainder when divided by m.
- Notation: x ≡ y (mod m)
- Example: 14 ≡ 5 (mod 9)
- We work in Z_m = {0, 1, 2, ..., m−1}, the group of integers modulo m (under addition)
- Example: Z_9 = {0, 1, 2, 3, 4, 5, 6, 7, 8}
- We abuse notation and often write = instead of ≡
Addition in Z_m
- Addition is well-defined: if x ≡ x' (mod m) and y ≡ y' (mod m) then x + y ≡ x' + y' (mod m)
- 3 + 4 = 7 mod 9
- 3 + 8 = 2 mod 9

Additive inverses in Z_m
- 0 is the additive identity in Z_m: x + 0 ≡ x ≡ 0 + x (mod m)
- The additive inverse of a is −a mod m = m − a
- Every element has a unique additive inverse
- 4 + 5 = 0 mod 9, so 4 is the additive inverse of 5
Multiplication in Z_m
- Multiplication is well-defined: if x ≡ x' (mod m) and y ≡ y' (mod m) then x · y ≡ x' · y' (mod m)
- 3 * 4 = 3 mod 9
- 3 * 8 = 6 mod 9
- 3 * 3 = 0 mod 9

Multiplicative inverses in Z_m
- 1 is the multiplicative identity in Z_m: x · 1 ≡ x ≡ 1 · x (mod m)
- Multiplicative inverse: x^{-1} with x * x^{-1} = 1 mod m
- SOME, but not ALL, elements have a (unique) multiplicative inverse
- In Z_9: 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, ..., so 3 does not have a multiplicative inverse (mod 9)
- On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4^{-1} = 7 (mod 9)
Which numbers have inverses?
- In Z_m, x has a multiplicative inverse if and only if x and m are relatively prime, i.e., gcd(x, m) = 1
- E.g., 4 in Z_9

Extended Euclidean: a^{-1} mod n
- Main idea: looking for the inverse of a mod n means looking for x such that x·a − y·n = 1 (then x·a ≡ 1 (mod n))
- To compute the inverse of a mod n, do the following:
  - Compute gcd(a, n) using the Euclidean algorithm. Since a is relatively prime to n (else there is no inverse), gcd(a, n) = 1.
  - So you can obtain a linear combination of r_m and r_{m−1} that yields 1.
  - Work backwards, getting a linear combination of r_i and r_{i−1} that yields 1.
  - When you get to a linear combination of r_0 and r_1 you are done, as r_0 = n and r_1 = a.
Example: 15^{-1} mod 37
37 = 2 * 15 + 7
15 = 2 * 7 + 1
7 = 7 * 1 + 0
Now work backwards:
15 − 2 * 7 = 1
15 − 2 * (37 − 2 * 15) = 1
5 * 15 − 2 * 37 = 1
So 15^{-1} mod 37 is 5 (check: 5 * 15 = 75 = 2 * 37 + 1).

Modular Exponentiation: Square and Multiply method
- The usual approach to computing x^c mod n (c−1 multiplications) is inefficient when c is large.
- Instead, represent c as the bit string b_{k−1} ... b_0 and use the following algorithm:
  z = 1
  for i = k−1 downto 0 do
      z = z^2 mod n
      if b_i = 1 then z = z * x mod n
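The Euclidean remainder chain, the extended Euclidean back-substitution and the inverse test of the last few slides (gcd(a, n) = 1 decides whether a^{-1} mod n exists), as an added Python example that is not part of the lecture material. The function names (euclid_chain, extended_gcd, mod_inverse, units) are this example's own; the inputs are the slides' 15 and 37 and the Z_9 inverse table.

```python
# Added example, not code from the lecture slides: Euclid's algorithm with the
# remainder chain r_0, r_1, ..., r_m, the extended form that back-substitutes to
# a linear combination x*a + y*n = gcd(a, n), and the inverse a^{-1} mod n,
# which exists exactly when gcd(a, n) == 1. Function names are this example's own.

def euclid_chain(r0, r1):
    """Run Euclid's algorithm on (r0, r1).

    Returns (gcd, steps) where each step is (r_i, q_{i+1}, r_{i+1}, r_{i+2})
    recording the division r_i = q_{i+1} * r_{i+1} + r_{i+2}.
    """
    steps = []
    while r1 != 0:
        q, r2 = divmod(r0, r1)
        steps.append((r0, q, r1, r2))
        r0, r1 = r1, r2          # gcd(r0, r1) == gcd(r1, r2); remainders shrink
    return r0, steps


def extended_gcd(a, b):
    """Return (g, x, y) with x*a + y*b == g == gcd(a, b).

    Iterative form of the back-substitution on the slides: alongside each
    remainder we carry the coefficients that express it in terms of a and b.
    """
    old_r, r = a, b
    old_x, x = 1, 0              # invariant: old_r == old_x*a + old_y*b
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """Return a^{-1} mod n, or raise ValueError when gcd(a, n) != 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return x % n                 # bring the coefficient into Z_n


def units(m):
    """All elements of Z_m that have a multiplicative inverse."""
    return [a for a in range(1, m) if extended_gcd(a, m)[0] == 1]


if __name__ == "__main__":
    g, steps = euclid_chain(37, 15)
    for r_i, q, r_next, r_after in steps:
        print(f"{r_i} = {q} * {r_next} + {r_after}")
    print("gcd(15, 37) =", g)                        # 1
    print("15^-1 mod 37 =", mod_inverse(15, 37))     # 5, since 5*15 - 2*37 = 1
    print("units of Z_9:", units(9))                 # [1, 2, 4, 5, 7, 8]
```

mod_inverse deliberately raises rather than returning a bogus value when gcd(a, n) ≠ 1; this is the case behind the "2^{-1} mod 4 = ?" question later in the lecture, and in practice it is how an implementation notices that a chosen modulus or exponent is invalid.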
Example: 30^37 mod 77 (37 = 100101 in binary, so k = 6)
At each step: z = z^2 mod n; if b_i = 1 then z = z * x mod n

 i   b_i   z
 5    1    30 = 1 * 1 * 30 mod 77
 4    0    53 = 30 * 30 mod 77
 3    0    37 = 53 * 53 mod 77
 2    1    29 = 37 * 37 * 30 mod 77
 1    0    71 = 29 * 29 mod 77
 0    1     2 = 71 * 71 * 30 mod 77
So 30^37 mod 77 = 2.

Other Definitions
- An element g in G is said to be a generator of the group if every a in G can be written as a = g^i for some integer i
- A group which has a generator is called a cyclic group
- The number of elements in a group is called the order of the group
- The order of an element a is the lowest i (> 0) such that a^i = e (the identity)
- A subgroup is a subset of a group that is itself a group

1/21/2015 Public Key Cryptography -- I
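The square-and-multiply loop above, as an added Python example that is not part of the lecture material. It reproduces the (i, b_i, z) table for 30^37 mod 77 and adds a Montgomery ladder variant, which does the same amount of work for a 0 bit and a 1 bit; this matters because the bit-dependent multiply in the plain loop is exactly what a timing measurement (as in the HW1 exercise) can pick up. Function names are this example's own.

```python
# Added example, not code from the lecture slides: left-to-right
# square-and-multiply as written on the slide, with an optional trace that
# reproduces the (i, b_i, z) table, plus a Montgomery ladder whose operation
# count does not depend on the exponent bits. Function names are this example's own.

def square_and_multiply(x, c, n, trace=None):
    """Compute x^c mod n scanning the bits b_{k-1} ... b_0 of c from the top.

    If `trace` is a list, (i, b_i, z) is appended after each iteration.
    """
    bits = bin(c)[2:]            # b_{k-1} ... b_0 as a string, MSB first
    k = len(bits)
    z = 1 % n                    # 1 % n so that c == 0 and n == 1 behave
    for i in range(k - 1, -1, -1):
        z = z * z % n            # always square
        b_i = int(bits[k - 1 - i])
        if b_i == 1:
            z = z * x % n        # multiply only when the bit is set (leaks via timing)
        if trace is not None:
            trace.append((i, b_i, z))
    return z


def montgomery_ladder(x, c, n):
    """Same result as square_and_multiply with one squaring and one multiply per bit.

    Invariant: r1 == r0 * x (mod n). Both branches do identical work, which
    removes the data-dependent multiply of the naive loop. (The Python-level
    branch and big-integer arithmetic are still not constant time.)
    """
    r0, r1 = 1 % n, x % n
    for bit in bin(c)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
    return r0


def exponent_trace_table(x, c, n):
    """Return the trace rows (i, b_i, z) for x^c mod n, e.g. the slide's table."""
    rows = []
    square_and_multiply(x, c, n, trace=rows)
    return rows


if __name__ == "__main__":
    for i, b, z in exponent_trace_table(30, 37, 77):
        print(f"i={i} b_i={b} z={z}")
    print("30^37 mod 77 =", square_and_multiply(30, 37, 77))          # 2
    print("ladder agrees:", montgomery_ladder(30, 37, 77) == pow(30, 37, 77))
```

Both functions are checked against Python's built-in pow(x, c, n); the loop runs in O(k) modular multiplications for a k-bit exponent, versus c − 1 for the naive method.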
Lagrange's Theorem
- The order of an element in a (finite) group divides the order of the group

Euler's totient function
- Given a positive integer n, Euler's totient function φ(n) is the number of positive integers less than n that are relatively prime to n
- Fact: if p is prime then all of {1, 2, 3, ..., p−1} are relatively prime to p, so
  $\varphi(p) = p - 1$
Euler's totient function
- Fact: if p and q are distinct primes and n = pq then
  $\varphi(n) = (p-1)(q-1)$
- Each number that is not divisible by p or by q is relatively prime to pq.
- E.g. p = 5, q = 7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}
- Count: pq − p − (q−1) = (p−1)(q−1) (remove the p multiples of q, then the remaining q−1 multiples of p; pq itself was already removed)

Euler's Theorem and Fermat's Theorem
- Euler: if a is relatively prime to n then
  $a^{\varphi(n)} \equiv 1 \pmod{n}$
- Fermat: if a is relatively prime to the prime p then
  $a^{p-1} \equiv 1 \pmod{p}$
- Proof: follows from Lagrange's Theorem (the units mod n form a group of order φ(n))
Euler's Theorem and Fermat's Theorem
E.g., compute 9^100 mod 17: p = 17, so p − 1 = 16, and 100 = 6·16 + 4.
Therefore 9^100 = 9^{6·16+4} = (9^16)^6 · 9^4. So mod 17 we have
$$
9^{100} \equiv (9^{16})^6 \cdot 9^4 \equiv 1^6 \cdot 9^4 \equiv 81^2 \equiv 16 \pmod{17}
$$

Some questions
- 2^{-1} mod 4 = ?
- What is the complexity of
  - (a + b) mod m
  - (a * b) mod m
  - x^c mod n
- The order of a group is 5. What can be the order of an element in this group?
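The totient, Euler's and Fermat's theorems, the 9^100 mod 17 exponent reduction, and Lagrange's theorem on element orders, as an added Python example that is not part of the lecture material. It uses Python's built-in pow(a, c, n) for modular exponentiation; the function names (phi, phi_pq, coprime_residues, euler_holds, pow_mod_prime, element_order, lagrange_holds) are this example's own.

```python
# Added example, not code from the lecture slides: Euler's totient from its
# definition and from (p-1)(q-1) for n = pq, a brute-force check of Euler's
# theorem over all units, the Fermat exponent reduction behind 9^100 mod 17,
# and element orders to see Lagrange's theorem. Function names are this
# example's own.
from math import gcd


def phi(n):
    """Euler's totient by definition: count 1 <= a < n with gcd(a, n) == 1 (n >= 2)."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def phi_pq(p, q):
    """Totient of n = p*q for distinct primes p, q: the slide's (p-1)(q-1)."""
    return (p - 1) * (q - 1)


def coprime_residues(p, q):
    """The residues 1..pq-1 not divisible by p or by q, as enumerated on the slide."""
    return [a for a in range(1, p * q) if a % p != 0 and a % q != 0]


def euler_holds(n):
    """Euler's theorem: a^phi(n) == 1 (mod n) for every a with gcd(a, n) == 1."""
    t = phi(n)
    return all(pow(a, t, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def pow_mod_prime(a, c, p):
    """a^c mod p for prime p and gcd(a, p) == 1, reducing the exponent mod p-1
    first (Fermat), as in 9^100 = (9^16)^6 * 9^4 == 9^4 (mod 17)."""
    return pow(a, c % (p - 1), p)


def element_order(a, n):
    """Order of a in the group of units mod n: the least i > 0 with a^i == 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit mod {n}")
    z, i = a % n, 1
    while z != 1:
        z, i = z * a % n, i + 1
    return i


def lagrange_holds(n):
    """Lagrange: every element order divides the group order phi(n)."""
    t = phi(n)
    return all(t % element_order(a, n) == 0 for a in range(1, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    print("phi(35) =", phi(35), "= (5-1)(7-1) =", phi_pq(5, 7))     # 24
    print("9^100 mod 17 =", pow_mod_prime(9, 100, 17))              # 16
    print("Euler holds for n=35:", euler_holds(35))
    print("orders mod 9:", {a: element_order(a, 9) for a in [1, 2, 4, 5, 7, 8]})
```

The brute-force phi is only for small n; for n = pq of cryptographic size it is infeasible without knowing p and q, which is the point of the (p−1)(q−1) formula.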
Further Reading
- Chapter 4 of Stallings
- Chapter 2.4 of HAC